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DISCLAIMER 


We are not « terrorists ». We won't release our PoC 
backdoor. 

The x86 architecture is plagued by legacy. 
Governments know. The rest of the industry : not so 
much. 

There is a need to discuss the problems in 
order to find solutions... 


This is belived to be order of 
magnitudes better over existing 
backdoors/malware 


PARENTAL 


Agenda 


Motivation : state level backdooring ? 

Coreboot & x86 architecture 

State of the art in rootkitting, romkitting 

Introducing Rakshasa 

Epic evil remote carnal pwnage (of death) 

Why cryptography (Truecrypt/Bitlocker/TPM) 
won't save us... 

Backdooring like a state 



Who am I ? 


Security researcher, pentester 
First learned asm (~15 years ago) 

Presented at Blackhat/Defcon/CCC/HITB... 

Master in Engineering, master in Computer Sciences 
Co organiser of the Hackito Ergo Sum conference (Paris) 

Likes : Unix, network, architecture, low level, finding Odays (mem 
corruptions). 

Dislikes : web apps, canned exploits. 

Super pure English accent (French, learned English in India, lives in 
Australia...;)) 



FUD 101 




Could a state (eg : China) backdoor 
all new computers on earth ? 



Occupying the Information High 
Ground: 

Chinese Capabilities for Computer 
Network Operations and 
Cyber Espionape 


This close relationship between some of China's—and the world's—largest 
telecommunications hardware manufacturers creates a potential vector for state sponsored 
or state directed penetrations of the supply chains for microelectronics supporting U.S. 
military, civilian government, and high value civilian industry such as defense and 
telecommunications, though no evidence for such a connection is publicly available. 



Prepared for the U.S.-China Economic and 
Security Review Commission 
by Northrop Grumman Corp 



NORTHROP GRUMMAN 



George Bakos 


March 7,2012 


Bryan Krekel 
Patton Adams 




More introductory material 


E Cyberdefense: les routeurs chi... J Hr* | 



fw.numerama.com/magazine/23225-cyberdefense-les-routeurs-chinois-accuses-d-etre-un-risque.html 

URL Decoder/Encoder Tasks ^Ralf Brown [m] Internet Archive: Di... HES 2012 ® HES orga My box s Google Actualites ”3 YouTube to mp3 Co... □ 

Cyberdefense : les routeurs chinois accuses 
d'etre un risque 

11 Julien L. - publie le Jeudi 19 Juillet 2012 a 16h09 - poste dans Societe 2.0 
I y Tweet 37 g+1 | ~2~| © & ® Partager 

Chine, Reseau, Windows, ZTE, Huawei 22 commentaire(s; 

Faudra-t-il se passer des equipements chinois dans le secteur des telecommunications ? Un 
rapport senatorial dedie a la cyberdefense avance cette idee, pointant du doigt les liens entre 
les industriels ZTE et Huawei et le pouvoir central chinois. Mais en matiere de cyberdefense, 
les materiels en provenance de I'Empire du Milieu ne sont pas les seuls a poser question. 

Les equipements de reseau chinois, un risque pour la 
cyberdefense ? C'est ce qui ressort d'un rapport 
senatorial conduit par Jean-Marie Bockel et 
disponible sur le site de la chambre haute du 
parlement. Si le document liste dix priorites et 
propose cinquante recommandations, I'une des 
pistes avancees par le senateur socialiste a 
particulierement surpris. 

Cette priorite, la dixieme, propose "d'interdire sur le 
territoire national et a I'echelle europeenne le 
deployment et I'utilisation de 'routeurs' ou d'autres 
equipements de coeur de reseaux qui presentent un 
risque pour la securite nationale, en particulier les 
'routeurs' et certains equipements d'origine 












Enough FUD... 

A bit of x86 architecture 
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State of the art, previous work 



Previous work 

Early 80s : Brain virus, targets the MBR 

80s, 90s : thousands of such viruses 

2007, John Heasman (NGS Software) Blackhat US: 
backdoor EFI bootloader 

2009, Anibal Saco and Alfredo Ortega (Core security), 
CanSecWest: patch/flash a Pheonix-Award Bios 

2009, Kleissner, Blackhat US : Stoned bootkit. Bootkit 
Windows, Truecrypt. Load arbitrary unsigned kernel 
module. 

2010, Kumar and Kumar (HUB Malaysia): vbootkit 
bootkitting of Windows 7. 

Piotr Bania, Konboot: bootkit any Windows (32/64b) 
2012 : Snare (Blackhat 2012): UEFI rootkittinq 



Introducing Rakshasa 
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Goals : create the perfect backdoor 


• Persistant 

• Stealth (0 hostile code on the machine) 

• Portable (OS independant) 

• Remote access, remote updates 

• State level quality : plausible deniability, non 
attribution 

• Cross network perimeters (firewalls, auth proxy) 

• Redundancy 

• Non detectable by AV (goes without saying...) 



Rakshasa : Design (1/2) 


Core components : 

- Coreboot 

- SeaBios 

- iPXE 

- payloads 

Built on top of free software : portability, non 
attribution, cheap dev (~4 weeks of work), really really 
really hard to detect as malicious . 


Supports 230 motherboards. 



Rakshasa : Design (2/2) 


Flash the BIOS (Coreboot + PCI roms such as iPXE) 

Flash the network card or any other PCI device 
(redundancy) 

Boot a payload over the network (bootkit) 

Boot a payload over wifi/wimax (breach the network 
perimeter, bypasses network detection, l(P|D)S ) 

Remotely reflash the BlOS/network card if necessary 



Rakshasa : embedded features 


Remove NX bit —> executable heap/stack. 

Make every mapping +W in ringO 
Remove CPU updates (microcodes) 

Remove anti-SMM protections —> generic local root exploit 
Disable ASLR 

Bootkitting (modified Kon-boot payload*) 

* Thanks to Piotr Bania for his contribution to 
Rakshasa :) 



Rakshasa : removing the NX bit (1/2) 

MSR !!! Model Specific Register 


AMD64 Architecture Programmer's manual (volume 2, 
Section 3.1.7 : Extended Feature Enable Register): 


No-Execute Enable (NXE) Bit. Bit 11, read/write. Setting 
this bit to 1 enables the no-execute page- 

protection feature. The feature is disabled when this bit is 

cleared to 0. 


Rakshasa 


; Disable NX bit (if supported) 

mov eax,0x80000000 
cpuid 

cmp eax,0x80000001 
jb nonsupported 

mov eax,0x80000001 
cpuid 

bt edx,20 
jnc not_supported 

movl ecx, 0xc0000080 
rdmsr 

btr eax, 11 
wrmsr 


removing the NX bit (2/2) 


; get higher function supported by eax 
; need amd K6 or better (anything >= 1997... should be ok) 

; need at least function 0x80000001 
; get Processor Info and Feature Bits 

; NX bit is supported ? 


extended feature register (EFER) 
read MSR 

disable NX (EFER NX) // btr = bit test and reset 
write MSR 


nonsupported: 




Make every mapping +W in ringO 


Intel Manuals (Volume 3A, Section 2.5): 


Write Protect (bit 16 of CRO) - When set, inhibits supervisor- 
level procedures from writing into read-only pages; when clear, 
allows supervisor-level procedures to write into read-only pages 
(regardless of the U/S bit setting; see Section 4.1.3 and Section 
4.6). This flag facilitates implementation of the copy-on-write 
method of creating a new process (forking) used by operating 
systems such as UNIX. 


Make every mapping +W in ringO 

(32b/64b) 


; 32b version : 
mov eax,crO 
and eax,Oxfffeffff 
mov crO,eax 

64b version : 
mov rax.crO 
and rax,Oxfffeffff 
mov crO,rax 



Remove CPU updates (microcodes) 


rm -rf ./coreboot/microcodes/ 



Remove anti-SMM protections (1/2) 


Intel® 82845G/82845GL/82845GV Graphics and Memory Controller datasheets, Section 3.5.1.22: SMRAM— System 
Management RAM Control Register (Device 0), bit 4 : 


SMM Space Locked (D_LCK)—R/W, L. When DLCK is set to 1, D_OPEN is reset to 0; DLCK, 
DOPEN, CBASESEG, H_SMRAM_EN, TSEG_SZ and TSEG_EN become read only. D LCK 
can be set to 1 via a normal configuration space write but can only be cleared by a Full Reset. The 
combination of D LCK and D OPEN provide convenience with security. The BIOS can use the 
D OPEN function to initialize SMM space and then use D LCK to “lock down” SMM space in the 

future so that no application software (or BIOS itself) can violate the integrity of SMM space, even if 
the program has knowledge of the D OPEN function. 






Remove anti-SMM protections (2/2) 


D_LCK is not supported by CoreBoot currently anyway... 

; disable D_LCK in Coreboot shellcode ;) 
nop 



Rakshasa : embedded features : 
conclusion 


Permantent lowering of the security level on any OS . 
Welcome back to the security level of 1997. 


Persistant, even if HD or OS is remove/restored . 



Rakshasa : remote payload 


• Bootkit future OSes 

• Update/remove/reflash firmwares (PCI, BIOS) 

• Currently capable of Bootkitting any version of 
Windows (32b/64b) thanks to special version of 
Kon-boot 



Rakshasa : stealthness 


We don't touch the disk. 0 evidence on the filesystem. 

The code flashed to motherboard is not hostile per si 
(there is one text file with urls in it., that's it). 

We can remotely boot from an alternate payload or 
even OS : fake Truecrypt/Bitlocker prompt! 

Optionally boot from a WIFI/WMAX stack : 0 network 
evidence on the LAN. 

Fake BIOS menus if necessary. We use an embedded 
CMOS image. We can use the real CMOS nvram to 
store encryption keys/backdoor states between 
reboots. 



Rakshasa : why using Coreboot/SeaBios/iPXE is 
the good approach 


Portability : benefit from all the gory reverse 
engineering work already done ! 

Awesome modularity : embbed existing payloads (as 
floppy or cdrom images) and PCI roms directly in the 
main Coreboot rom ! 

Eg : bruteforce bootloaders (Brossard, H2HC 2010), 
bootkits without modification. 

Network stacks : ip/udp/tcp, dns, http(s), tftp, ftp... 
make your own (tcp over dns? Over ntp ?) 

Code is legit: can't be flagged as malware ! 



DEMO : Evil remote carnal pwnage 

(of death) 




How to properly build a botnet ? 


HTTPS + assymetric cryptography (client side 
certificates, signed updates) 

Fastflux and/or precomputed IP addresses 

If Microsoft can do secure remote updates, so 
can a malware ! 

Avoid DNS take overs by law enforcement 
agencies by directing the C&C rotatively on 
innocent web sites (are you gonna shut down 
Google.com?), use assymetric cry pto to push 
updates. 





Why crypto won't save you... 



Why crypto won't save you (1/2) 


We can fake the bootking/password prompt by 
booting a remote OS (Truecrypt/Bitlocker) 

Once we know the password, the BIOS 
backdoor can emulate keyboard typing in 16b 
real mode by programming the 
keyboard/motherboard PIC microcontrolers 
(Brossard, Defcon 2008) 

If necessary, patch back original 
BlOS/firmwares remotely. 



Why crypto won't save you (2/2) 


TPM + full disk encryption won't save you either: 

1) It's a passive chip : if the backdoor doesn't 
want explicit access to data on the HD, it can 
simply ignore TPM. 

2) Your HD is never encrypted when delivered 
to you. You seal the TPM when you encrypt 
your HD only. So TPM doesn't prevent 
backdooring from anyone in the supply chain. 



How about Avs ?? 


• Putting an AV on a server to protect against 
unknown threats is purely cosmetic. 

• You may as well put lipstick on your servers... 



Example : 3 years old bootkit 

& /irustotal 


SHA256: 

File name: 

214ce3ce21e38ea145ba2cd52cce7e94367a2701ea5f4efda4a1 cc248fbec 1 d2 

konFLOPPY.img 


Detection ratio: 

2/43 

0 0 

Analysis date: 

2012-03-07 07:14:43 UTC (3 weeks. 3 days ago ) 



Kaspersky 

20120307 

McAfee 

20120307 

McAfee-GW-Edition Heuristic.BeHavesLike.Exploit.CodeExec.EPMG 

20120307 

Microsoft 

20120307 

NOD32 

20120307 

Norman nown vims. B.H 

20120304 




nProtect 


20120306 




Example : 3 years old bootkit (+ 
simple packer) 


0k /irustotal 


SHA256: 8575ab1 Ifi 

File name: K.lzma 

Detection ratio: 0/41 

Analysis date: 2012-03-31 


Antivirus 

AhnLab-V3 

AntiVir 

Antiy-AVL 

Avast 

AVG 

Bit Defender 

ByteHero 

CAT-QuicKHeal 

ClamAV 

Commtouch 

Comodo 

DrWeb 

Emsisoft 



20120331 

20120331 

20120331 


0 



Realistic attack scenarii 
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Realistic attack scenarii 


• Physical access : 

Anybody in the supply chain can backdoor your 
hardware. Period. 

Flash from a bootable USB stick (< 3mins). 

• Remote root compromise : 

If (OS == Linux) { 

flash_bios; 

} else { 

Pivot_over_the_MBR ; 

} 




Realistic attack scenarii 



J Description j Shipping and payments 
Item specifics 


^ Q - 





























BONUS : Backdooring the 
datacenter 
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Remediation 
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Remediation (leads) 


Flash any firmware uppon reception of new hardware with 
open source software you can verify. 

Perform checksums of all firmwares by physically 
extracting them (FPGA..): costly ! 

Verify the integrity of all firmwares from time to time 

Update forensics best practices : 

1) Include firmwares in SoW 

2) Throw away your computer in case of intrusion 

Even then... not entirely satisfying : the backdoor can flash 
the original firmwares back remotely. 



Side note on remote flashing 


BIOS flashing isn't a problem : the flasher 
(Linux based) is universal. 

PCI roms flashing is more of a problem : flasher 
is vendor dependant... 



Detecting network card 
manufacturer from the remote C&C 



ols Help 




HgiPXE-opensourcebootfirmwa... || ■£ | ’ 

^ [8J ipxe.org/scripting 



-S |il- ipxe 

a Q *> • 

ggMostVisited’ [jTasks /«Ralf Brown 

HES2012 ®HESorga □ My box [jUnux/i386system c... Reverse IP Lookup-... 

□ http://www.zonabat... http://www.mgid.co.. 

. n The Art of Assembly... ©DEFCON® 19 Hack... fjjeu d'instruction x86 



Dynamic scripts 

An iPXE script does not have to be a static text file. For example, you could direct iPXE to boot from the URL 
http://192.168.0.1/boot.php?mac=${net0/mac}&asset=${asset:u rist ring} 


which would expand to a URL such as 

http://192.168.0.1/boot.php?mac=52:54:00:12:34:56&asset=BKQ42Ml 


The boot.php program running on the web server could dynamically generate a script based on the information provided in 
the URL. For example, boot.php could look up the asset tag in a MySQL database to determine the correct iSCSI target to 
boot from, and then dynamically generate a script such as 

#! ipxe 

set initiator-iqn iqn.2010-04.org.ipxe:BKQ42M1 
sanboot iscsi:192.168.0.20::::iqn.2010-04.org.ipxe:winxp 


For the sake of backwards compatibility, iPXE will also recognise legacy gPXE scripts starting with the magic line #!gpxe. However, 
gPXE is not capable of running iPXE scripts, since the iPXE script language is substantially more advanced than the gPXE script 
language. 


Login 


Search 


_ 


_ 


scripting.txt • Last modified: 2011/12/02 21:36 by mcb30 













Backdooring like NSA China 




Backdooring like a state 


Rule #1 : non attribution 

- you didn't write the free software in first place. 

- add a few misleading strings, eg : in mandarin ;) 

Rule #2 : plausible deniability 

- use a bootstrap known remote vulnerability in a 
network card firmware 

(eg : Duflot's CVE-2010-0104) 

—► « honest mistake » if discovered. 

- remotely flash the BIOS. 

- do your evil thing. 

- restore the BIOS remotely. 


More DEMOS 
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Outro 


This is not a vulnerability : 

- it is sheer bad design due to legacy. 

- don't expect a patch. 

- fixing those issues will probably require breaking 
backward compatibility with most standards 
(PCI, PCIe, TPM). 



Questions ? 
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